1. Technical Field of the Invention
This invention relates generally to the detection of identity theft based on fraudulent use of, or fraudulent access to, computer applications, networks, systems and devices, and more particularly to an automated system and method that uses an “Identity Register” incorporating processing logic and a database to develop, maintain and refine a Personal Identity Value representing an entity whose identity requires some form of authentication.
2. Description of the Related Art
In the following discussion, the terms “activity” and “transaction” are used for illustrative purposes. In general, activities relate to automated or electronic interactions with hardware devices or software programs, such as accessing computer systems or online web sites. Transactions relate to automated or electronic transactions, such as personal data transactions or financial transactions such as payments, fund-transfers, fund withdrawals, deposits, changes to account information, etc. Also, the term “entity” is used for illustrative purposes. In general, entities requiring authentication are individuals, data subjects or any electronic or computing devices that may be a subject whose identity requires some form of identity authentication.
Accurate authentication of the identity of users or entities engaged in automated activities or transactions requiring security is a problem that continues to grow. Many solutions have been introduced to detect or prevent unauthorized access to secure hardware and software systems that attempt to determine through various means if an entity engaging in a transaction or accessing a computer or application is the lawful and rightful user. Identity theft has become more and more pervasive and does not only facilitate financial fraud. It may be perpetrated against any computer applications, systems and services that require security and where identity authentication is needed.
There are generally two recognized categories of identity theft that are perpetrated against legitimate users of automated or electronic transactions and activities. The first is known as “financial identity theft” and is typically based upon the use of another's identity to obtain goods and services. The second, known as “identity deception” is generally based upon the use of another's identity or identifying information to intentionally deceive others.
A classic example of financial identity theft, typically synonymous with bank fraud, occurs when an offender obtains a loan from a financial institution by impersonating someone else. The offender pretends to be the victim by presenting an accurate name, address, birth-date or other information the lender requires to establish identity. Even if this information is checked against data at a national credit-rating service, the lender encounters no concerns, as all of the victim's information matches the records. The lender has no easy way to discover that the person is pretending to be the victim, especially if an original, government-issued ID can't be verified, as is the case in online, mail, telephone and fax-based transactions. The offender keeps the money from the loan, the financial institution is never repaid and the victim is wrongly blamed for defaulting on a loan never truly authorized.
Another example of financial identity theft is when an offender obtains another's credit card or debit card account information, such as account number, account expiration date, card verification value or other data associated with an individual's credit card account. The offender then uses the information to create a counterfeit card or otherwise make purchases of goods and services at a point-of-sale, withdraw funds at an automatic teller machine or use the account information to make purchases over the telephone or via online web sites.
In most cases, financial identity theft is reported to a national consumer credit reporting agency or credit bureau as a collection or bad loan under the impersonated individual's record. The victim may discover the incident by being denied a loan, seeing the accounts, viewing their own financial transactions and history or by being contacted by creditors or collection agencies. The victim's credit score, which affects their ability to acquire new loans or credit lines, and rates on existing accounts may be adversely affected until they are able to successfully dispute the complaints and have them removed from their record. Other forms of financial fraud associated with identity theft include account takeovers, passing bad checks and “busting out” an account. A bust out is a sudden withdrawal of all available funds associated with deposit fraud. If withdrawals or checks are made against the impersonated individual's real accounts, that individual may need to convince the bank that the withdrawal was fraudulent or file a court case to retrieve lost funds. If checks are written against fraudulently opened checking accounts, the person receiving the checks will suffer the financial loss. However, the recipient of a check might attempt to retrieve money from the impersonated individual by using a collection agency. This activity would appear in the victim's credit history until the check was shown to be fraudulent.
Impersonating another's identity to deceive, for reasons other than financial gain, also has far-reaching consequences. Preventing identity deception has application to many circumstances where individual security is a primary concern. For example, the ability to authenticate the identity of an individual to prevent deception has application to law enforcement, public security, cyber crime and any online means where individuals have an expectation that existing security measures are adequate.
Identity deception occurs, for example, when an individual obtains someone else's electronic login information for access to a web-based online application such as a social networking web site. The individual successfully enters a username and password that belongs to the victim. Once accepted by the application, that individual has access to the victim's personal profile information and application features. Furthermore, the individual can establish and maintain communications with the victim's friends and family. The victim's personal profile information can be modified or deleted and other damage can be inflicted upon the victim for malicious purposes. Criminals, parolees and online predators can make use of the victim's identity for dangerous and deceptive purposes.
Credit card issuers and financial institutions, such as banks, attempt to limit financial identity theft and fraud losses by analyzing a variety of data and information associated with, for example, an automated credit card transaction. Rules-based “parameter analysis” is used along with pattern recognition and probabilistic techniques to determine the legitimacy of a card transaction. Parameter analysis techniques are used to examine, for example, the number of credit card transactions on a particular account within a specified period of time, say 24 hours, and the dollar amount of the transaction. If the number of transactions or the dollar amount exceed some pre-defined threshold, the transaction can be flagged as potentially fraudulent and further action can be taken. This action may be as drastic as denying the transaction and blocking the card holder's account. Parameter analysis, however, often times yields false-positive results, where the financial transaction is in fact legitimate, but falls outside the parameter thresholds set.
Probabilistic, or predictive, techniques include the use of statistical analysis and pattern recognition using many more parameters than are typically used in rules-based parameter analysis. Probabilistic techniques require the construction of behavioral models based on potentially hundreds of parameters to provide a probability that a particular financial transaction is fraudulent. These parameters typically include detailed data about multiple card holders, multiple merchants, multiple transactions and transaction histories that provide the ability to filter, screen and isolate those financial transactions which are likely to be fraudulent. Over time, this aggregated and detailed data about transactions are used to enhance the statistical model so patterns emerge. Thus, the statistical model is continually refined so that a particular transaction, when processed through the model, results in a more accurate determination of the likelihood of fraud. An example is found in U.S. Pat. No. 5,819,226 issued Oct. 6, 1998 to Gopinathan et al. which is fully incorporated herein by reference.
Probabilistic techniques and models to determine incidents of identity theft may be made more beneficial if a Personal Identity Value representing an individual user's characteristics is developed, rather than statistical models based on pattern recognition from many users' transaction characteristics. That is, authenticating the identity of an entity engaged in an automated activity or transaction has utility above and beyond systems that determine the likelihood that a transaction itself is fraudulent. It is desirable, therefore, to have an automated system that uses discrete available data regarding the entity, including the entity's wireless device location data, home location data and other Identity Data to create a Personal Identity Value for the entity that may be accessed by a variety of applications that require identity authentication. By using this method, false-positive indications of fraudulent activity may be further reduced.
The primary identifying characteristic of a particular wireless device is the dialable mobile directory number (MDN). The MDN can be up to 15 digits long and is a unique number worldwide among all wireless devices, regardless of country or telecommunications network operator. The format of the MDN has been standardized as the E.164 International Public Telecommunication Number by the International Telecommunications Union, a standards making organization within the United Nations. Because the MDN is unique worldwide to an entity's or individual's mobile service subscription and wireless device, it can be considered an extension of the unique identity of that wireless device's user.
Much of the utility of using an entity's or individual's wireless device as an extension of the identity of the user is enabled by the physical security of wireless devices. Wireless devices are inherently secure due to the properties of digital cellular telecommunications. Digital cellular technology has replaced analog cellular technology worldwide and with this advancement came cellular authentication. Cellular authentication uses a cryptographic security protocol and public key infrastructure that is only made possible by digital communications technology. This cryptographic security protocol prevents a mobile directory number from being used by any wireless device other than the one for which it was originally programmed. The only way to re-use a mobile directory number with another device is by special secure provisioning performed within secure network platforms by the wireless network operator. When this secure provisioning occurs, the mobile directory number is securely and solely associated with the device for which it is used. In the case of GSM networks, the secure wireless device is the subscriber identity module, or SIM card, which is associated with an individual and unique mobile service subscription. This is why a SIM card can be used in any GSM-based mobile phone without notifying the wireless network operator. In the case of CDMA networks, the wireless device is the mobile phone itself as SIM cards are not commercially supported.